Skip to main content

Facebook Open URL Redirection Vulnerability

By


About 2 week ago, I discovered an open url redirection vulnerability in Facebook that allowed me to have a facebook.com link redirect to any website without restrictions & users confirmation


Description:

[#] Title           :  Facebook Open URL Redirection 
[#] Status        :  fixed
[#] Severity     :  High
[#] Works on  :  Any browser with any version
[#] Homepage  : www.facebook.com
[#] Author       :  Jitendra Jaiswal ( India )


The flaw exists in the way facebook handled the u parameter. Visiting the link below would always redirect to the facebook homepage:
http://www.facebook.com/a.php?u=http%3A%2F%2Fjeet.com

 But I noticed that changing the url to a another url , for example:
http://www.facebook.com/a.php?u=http%3A%2F%2Fyahoo.com

 in that the target destination yahoo.com and it will redirect successfully:
http://www.facebook.com/a.php?u=http%3A%2F%2Fyahoo.com

 Facebook have the ability to filter and ban particular websites from redirecting using their automatic spam and malware analysis. But not all malware/spam can be caught by Facebook, and by the time a link is banned, an attacker would have already moved on to another link.

Video Proof of Concept:
Facebook responded  after 12 days my report, and they were quick to patch the flaw in about a week and a half. The payout for this bug is $1,000.

Jitendra Jaiswal

Comments

Post a Comment

Popular posts from this blog

HC WeB : A Browser for HACKERS...

By
A Browser for HACKERS... Try for Free... Download HC WeB Setup Gallery: Online Penetration Testing Tools Index Information Gathering Whois DNS Location Info Enumeration and Fingerprint Data Mining Search Engines Editors Online Text Editors Share Text Snippets Network Utilities Ping HTTP HTTPS VNC Remote Desktop SSH DNS Sniffers Misc Forensics Frameworks URL Cloaking E-mail Password Cracking Encoders and Decoders Encoders Decoders Malwares Malware Analysis Identify Malicious Websites Suspected Malicious IPs and URLs Application Auditing SQL Injection Cross Site Scripting File Inclusion Anonymity Proxy Others Hackery Open Penetration Testing Bookmarks Collection Hacker Media Blogs, Forums, Magazines and Videos. Methodologies Penetration testing frameworks, standards and methodologies. OSINT Presentations, People, Organizations and Infrastructure.  Exploits an...
Post a Comment
Read more

Facebook Web Security Bug Bounty: Directory Traversal Vulnerability / RCE In Parse.com

By
http://parse.com   directory traversal vulnerability Little Insight: http://parse.com  was vulnerable to a directory traversal / RCE vulnerability. As a result, it was possible for an attacker to load web server-readable files from the local filesystem. or Run commend on That Well this is my 4th reward form facebook  Directory Traversal or RCE Vulnerability  That  give me 5th position in Facebook white-hat Page Report Date :23  July 2014 Reward For Directory Traversal or RCE Vulnerability :  20000$ How This work......? As we discussed earlier on my old post  Flowdock Directory Traversal Vulnerability exposed files outside of Rails’ view paths. '%5C' turns into '\' after decoding. Using Rack::Protection    it only rejects '/../' segments in the request path.   patch apply for Rack::Protection acording CVE-2014-0130  and  also Reject now '%5C' turns into '\' af...
Post a Comment
Read more

xss in Microsoft mobile domain

By
Cookies xss in Microsoft mobile domain also it have xframe open vulnerability for click jacking Domain: m.microsoft.com Poc url steps for reproduce issue are same in both url so I am send both url and steps by using one of them Poc urls : 1.          http://m.microsoft.com/showcase/en/US/Search.mspx?a=results&mid=3900&phrase=%5burl%3djavascript:alert(document.cookie)%5dClick%20here%20to%20see%20Result%5b/url%5d&Search = 2.        http://m.microsoft.com/showcase/en/US/search?pageindex=sv1:2&phrase=[url%3djavascript:alert%28document.cookie%29]click%20here%20and%20see%20your%20result[/url ] Vulnerable parameter: phrase= Steps for reproduce issue Poc url http://m.microsoft.com/showcase/en/US/search?pageindex=sv1:2&phrase=[url%3djavascript:alert%28document.cookie%29]click%20here%20and%20see%20your%20result[/url ] when users use url .That give a result in Microsoft site lik...
Post a Comment
Read more